PINE64
full disk encryption with luks on manjaro xfce - Printable Version

+- PINE64 (https://forum.pine64.org)
+-- Forum: Pinebook Pro (https://forum.pine64.org/forumdisplay.php?fid=111)
+--- Forum: Pinebook Pro Tutorials (https://forum.pine64.org/forumdisplay.php?fid=117)
+--- Thread: full disk encryption with luks on manjaro xfce (/showthread.php?tid=9052)



full disk encryption with luks on manjaro xfce - limxr - 02-06-2020

This recipe is for a Manjaro XFCE Pinebook Pro image installed to an SD card.  It may work with other Manjaro Pinebook Pro images.
First I created a separate partition for /boot that remains unencrypted.  Second, I encrypted the existing root (/) installation in place using LUKS.
I used Debian installed to the eMMC of the Pinebook Pro; any OS that supports LUKS should work (the default OS on the Pinebook Pro does not support LUKS).  Make sure you have a good backup first in case something goes wrong.


Code:
===================================
separate partitions for boot & root
===================================
boot to debian on emmc
create new partition layout using gparted
(boot will be on the 1st partition & root on the 2nd partition)
(don't touch the ~31M unallocated space at the start of the sdcard; the bootloader is written there)
    resize mmcblk1p1 to its smallest size to create free space
    copy mmcblk1p1 & paste it into the remaining free space (this copy becomes mmcblk1p2)
    format mmcblk1p1 as ext4 to delete its files
    resize mmcblk1p1 to your desired size, for me ~800MB
    label mmcblk1p1 BOOT
    resize/move mmcblk1p2 to fill all remaining free space
move files to /boot
    sudo mkdir /mnt/boot; sudo mount /dev/mmcblk1p1 /mnt/boot
    sudo mkdir /mnt/root; sudo mount /dev/mmcblk1p2 /mnt/root
    sudo mv /mnt/root/boot/* /mnt/boot
set automount for boot partition
    sudo nano /mnt/root/etc/fstab
        /dev/mmcblk1p1 /boot ext4 defaults 0 2
        (mmcblkN numbering can differ between the debian-on-emmc and manjaro-on-sdcard boots;
         LABEL=BOOT or UUID=<uuid of mmcblk1p1 from blkid> in place of /dev/mmcblk1p1 avoids that)
configure bootloader
    get the PARTUUID of the root partition, for me it's 781b2cf9-02
        sudo blkid | grep mmcblk1p2
    set root= to that PARTUUID and remove the /boot/ prefix from the 3 load lines
    (the stock script's "part uuid ... uuid" sets ${uuid} to the partition u-boot loaded the script from,
     which is now the boot partition, so root must be given explicitly; the original lines are kept commented out)
        cd /mnt/boot/
        sudo nano boot.txt
            #setenv bootargs console=ttyS2,1500000n8 root=PARTUUID=${uuid} rw rootwait bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash append video=eDP-1:1920x1080@60
            setenv bootargs console=ttyS2,1500000n8 root=PARTUUID=781b2cf9-02 rw rootwait bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash append video=eDP-1:1920x1080@60

            #if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} /boot/Image; then
            if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} Image; then
               #if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} /boot/dtbs/${fdtfile}; then
               if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} dtbs/${fdtfile}; then

                  #if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} /boot/initramfs-linux.img; then
                  if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} initramfs-linux.img; then

    sudo apt install u-boot-tools    (provides mkimage, which mkscr runs)
    sudo ./mkscr                     (rebuilds boot.scr from boot.txt; u-boot reads boot.scr, not boot.txt)
boot to manjaro on sdcard

============
encrypt root
============
boot to manjaro on sdcard
add modules & hooks to initram
(the order the modules and hooks are loaded in is important: keyboard, keymap and block must come
 before encrypt so the passphrase prompt can read the keyboard and see the device, and encrypt
 must come before filesystems)
    sudo nano /etc/mkinitcpio.conf
        MODULES=(panfrost rockchipdrm drm_kms_helper hantro_vpu analogix_dp rockchip_rga panel_simple arc_uart cw2015_battery i2c-hid iscsi_boot_sysfs jsm pwm_bl uhid)
        BINARIES=()
        FILES=()
        HOOKS=(base udev keyboard autodetect keymap modconf block encrypt filesystems fsck)
        COMPRESSION="cat"
    sudo mkinitcpio -P
boot to debian on emmc
encrypt existing partition in place with luks
    make sure mmcblk1p2 is not mounted
    sudo e2fsck -f /dev/mmcblk1p2
    sudo resize2fs -M /dev/mmcblk1p2
    (shrinks the filesystem to its minimum; the partition keeps its size, which leaves room for the
     LUKS header at the start when the data is shifted forward in the next step)
    sudo cryptsetup-reencrypt /dev/mmcblk1p2 --new --reduce-device-size 16M
    (the reduction must be at least the LUKS header size: 16 MiB for a default LUKS2 header, 2 MiB for LUKS1,
     and the shrunk filesystem must fit in what is left; you are asked for the new passphrase here, and the
     step must not be interrupted.  newer cryptsetup provides the same operation as
     "cryptsetup reencrypt --encrypt --reduce-device-size 16M /dev/mmcblk1p2")
    sudo cryptsetup open /dev/mmcblk1p2 cryptroot
    sudo resize2fs /dev/mapper/cryptroot
    (grows the filesystem back to fill the container)
    sudo mount /dev/mapper/cryptroot /mnt/root
configure bootloader
    get the UUID of the luks container on mmcblk1p2
    sudo blkid | grep mmcblk1p2
        for me it's 6d1c2895-f2c2-477f-8415-b04f7a4641da
        (use the UUID on the line with TYPE="crypto_LUKS"; the ext4 UUID blkid shows for
         /dev/mapper/cryptroot is a different value and the encrypt hook will not find it)
    change kernel parameters for encrypted root, including display to console & disable splash
    (cryptdevice=UUID=... must be exactly the UUID from blkid above, and the name after it must match
     root=/dev/mapper/...; allow-discards passes TRIM through the container, which reveals which blocks
     are unused, so drop it if that matters more to you than flash wear)
        sudo mount /dev/mmcblk1p1 /mnt/boot
        cd /mnt/boot
        sudo nano boot.txt
            # setenv bootargs console=ttyS2,1500000n8 root=PARTUUID=781b2cf9-02 rw rootwait bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash append video=eDP-1:1920x1080@60
            setenv bootargs console=tty1 root=/dev/mapper/cryptroot cryptdevice=UUID=0d739f2d-92af-40ec-bd8b-c8f241e6a2ce:cryptroot:allow-discards rw rootwait quiet append video=eDP-1:1920x1080@60

            #booti ${kernel_addr_r} - ${fdt_addr_r};
            booti ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r};

        sudo ./mkscr
reboot to manjaro on sdcard



RE: full disk encryption with luks on manjaro xfce - JaceAlvejetti - 02-17-2020

Followed the directions; in the end I reboot to a screen that does ask for my password, but when I type it's entered into the line below it in plain text, and hitting Enter doesn't do anything but move to the next line.

After some time, modules start to time out, not being able to find firmware, so I don't think my text is being entered in the right space.

Any thoughts?


RE: full disk encryption with luks on manjaro xfce - limxr - 02-17-2020

(02-17-2020, 10:43 AM)JaceAlvejetti Wrote: Followed the directions, in the end I reboot to a screen that does ask for my password but when I type its entered into the line below it in plain text, hitting enter doesn't do anything but move to the next line.

It sounds like the boot process did not wait for the password prompt but just continued.  Do you have rootwait set as a bootarg?  I've attached my boot.txt as an example.


RE: full disk encryption with luks on manjaro xfce - JaceAlvejetti - 02-17-2020

(02-17-2020, 01:59 PM)limxr Wrote:
It sounds like the boot process did not wait for the password prompt but just continued.  Do you have rootwait set as a bootarg?  I've attached my boot.txt to see as example.

I do have that and agree that is what it sounds like; here's mine:

setenv macaddr da 19 c8 7a 6d f4

part uuid ${devtype} ${devnum}:${bootpart} uuid
setenv bootargs console=tty1 root=/dev/mapper/cryptroot cryptdevice=UUID=bc3791fa-01e0-471d-9ace-a7cae5035c15:cryptroot:allow-discards rw rootwait quiet append video=eDP-1:1920x1080@60
setenv fdtfile rockchip/rk3399-pinebook-pro.dtb

if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} Image; then
  if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} dtbs/${fdtfile}; then
    fdt addr ${fdt_addr_r}
    fdt resize
    fdt set /ethernet@fe300000 local-mac-address "[${macaddr}]"
    if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} initramfs-linux.img; then
      # This upstream Uboot doesn't support compressed cpio initrd, use kernel option to
      # load initramfs
      setenv bootargs ${bootargs} initrd=${ramdisk_addr_r},20M ramdisk_size=10M
    fi;
    booti ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r};
  fi;
fi


RE: full disk encryption with luks on manjaro xfce - limxr - 02-17-2020

(02-17-2020, 02:15 PM)JaceAlvejetti Wrote: I do have that and agree that is what it sounds like; here's mine:

That boot.txt looks fine.  I wonder if the initramfs was generated correctly with mkinitcpio -P when booted into Manjaro on the SD card, before you encrypted the root partition?  From a Linux OS you could use cryptsetup to open the root partition on the SD card, mount it, and check etc/mkinitcpio.conf to make sure all the modules and hooks are listed in order and the compression is set to "cat".

If you need to generate the initramfs again, you can probably do so from an Arch/Manjaro OS; just make sure the mkinitcpio -P command is using options to point to the SD card and not the booted OS.

Another way you could do this is to decrypt the root partition on the SD card (cryptsetup-reencrypt /dev/mmcblk1p2 --decrypt), then change boot.txt back to the non-LUKS configuration so you can boot into the SD card again.
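A preflight check for the three things this thread shows going wrong, as an added example (not from the original post, not Manjaro's or cryptsetup's code): the HOOKS order in mkinitcpio.conf from the recipe in the first post, the cryptdevice= UUID in boot.txt against what blkid reports for the LUKS container, and the mapper name in cryptdevice= against root=. The inputs below are constructed samples embedded so the script runs offline; the UUIDs and PARTUUID are placeholders. On a real system, run it with the HOOKS line of etc/mkinitcpio.conf from the opened, mounted root, the setenv bootargs line of boot.txt from the boot partition, and the output of `sudo blkid` taken while the container is open.

```sh
#!/bin/sh
# Preflight checks for the LUKS-on-sdcard recipe. Added example, not from
# the original post. Inputs are CONSTRUCTED samples; UUIDs are placeholders.

SAMPLE_HOOKS='HOOKS=(base udev keyboard autodetect keymap modconf block encrypt filesystems fsck)'
SAMPLE_BOOTARGS='setenv bootargs console=tty1 root=/dev/mapper/cryptroot cryptdevice=UUID=aaaaaaaa-0000-4000-8000-000000000001:cryptroot:allow-discards rw rootwait quiet'
# blkid as seen after "cryptsetup open": the partition is the LUKS container,
# the mapper device is the ext4 filesystem inside it (a different UUID).
SAMPLE_BLKID='/dev/mmcblk1p2: UUID="aaaaaaaa-0000-4000-8000-000000000001" TYPE="crypto_LUKS" PARTUUID="00000000-02"
/dev/mapper/cryptroot: UUID="bbbbbbbb-0000-4000-8000-000000000002" TYPE="ext4"'

# 1-based position of hook $2 in the space-separated list $1; empty if absent.
hook_index() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -n -x -- "$2" | cut -d: -f1
}

# Validate a HOOKS=(...) line: keyboard, keymap and block must run before
# encrypt (the prompt needs the keyboard and the device must exist) and
# encrypt before filesystems (root is /dev/mapper/...). Prints "ok" or the
# first violation found; returns 1 on a violation.
check_hooks_order() {
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\)).*/\1/p')
    enc=$(hook_index "$hooks" encrypt)
    if [ -z "$enc" ]; then echo "encrypt hook missing"; return 1; fi
    for h in keyboard keymap block; do
        i=$(hook_index "$hooks" "$h")
        if [ -z "$i" ] || [ "$i" -gt "$enc" ]; then echo "$h must precede encrypt"; return 1; fi
    done
    fs=$(hook_index "$hooks" filesystems)
    if [ -z "$fs" ] || [ "$fs" -lt "$enc" ]; then echo "encrypt must precede filesystems"; return 1; fi
    echo ok
}

# UUID named in cryptdevice=UUID=<uuid>:<name> on a bootargs line; empty if absent.
bootargs_luks_uuid() {
    printf '%s\n' "$1" | sed -n 's/.*cryptdevice=UUID=\([0-9a-fA-F-]*\):.*/\1/p'
}

# UUID blkid reports for the LUKS container: only the TYPE="crypto_LUKS" line
# counts, never the ext4 UUID of the opened mapper device.
blkid_luks_uuid() {
    printf '%s\n' "$1" | grep 'TYPE="crypto_LUKS"' | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# The name after the UUID in cryptdevice= is what the encrypt hook creates
# under /dev/mapper; root= must point at exactly that device.
check_root_mapper() {
    name=$(printf '%s\n' "$1" | sed -n 's/.*cryptdevice=UUID=[0-9a-fA-F-]*:\([^: ]*\).*/\1/p')
    root=$(printf '%s\n' "$1" | sed -n 's/.*root=\([^ ]*\).*/\1/p')
    if [ -n "$name" ] && [ "$root" = "/dev/mapper/$name" ]; then echo ok; return 0; fi
    echo "root=$root does not match cryptdevice name $name"; return 1
}

# Cross-check boot.txt ($1) against blkid output ($2).
check_uuid_match() {
    have=$(bootargs_luks_uuid "$1")
    want=$(blkid_luks_uuid "$2")
    if [ -z "$want" ]; then echo "no crypto_LUKS device in blkid output"; return 1; fi
    if [ "$have" = "$want" ]; then echo ok; return 0; fi
    echo "boot.txt has $have, LUKS container is $want"; return 1
}

# Run every check on (hooks line, bootargs line, blkid output); non-zero if any fails.
preflight() {
    rc=0
    for r in "$(check_hooks_order "$1")" "$(check_root_mapper "$2")" "$(check_uuid_match "$2" "$3")"; do
        printf '%s\n' "$r"
        [ "$r" = ok ] || rc=1
    done
    return $rc
}

preflight "$SAMPLE_HOOKS" "$SAMPLE_BOOTARGS" "$SAMPLE_BLKID"
```

The checks are deliberately done from a second OS with the container open, the same position the recipe uses for the encryption step itself: that is the one place where boot.txt, mkinitcpio.conf and the real LUKS UUID are all readable at once, before the first reboot into the encrypted root.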


RE: full disk encryption with luks on manjaro xfce - JaceAlvejetti - 02-17-2020

I backed up prior to doing the encryption, so that's likely where I broke it, and here comes my question.

I didn't match the order per the instructions, just made sure the items were there; guessing that matters from what you said, I am going to restore my backup and do it again.

Thanks!


RE: full disk encryption with luks on manjaro xfce - limxr - 02-17-2020

(02-17-2020, 05:48 PM)JaceAlvejetti Wrote: I backed up prior to doing the encryption, So that's likely where I broke it and here comes my question.


Yes, the order of the HOOKS in mkinitcpio.conf definitely matters; not sure about the MODULES, but it's probably safest just to follow the order in the recipe.


RE: full disk encryption with luks on manjaro xfce - e-minguez - 02-18-2020

Has anyone been able to do this, but for the eMMC? Thanks


RE: full disk encryption with luks on manjaro xfce - as400 - 02-19-2020

@e-minguez I have luks + lvm on nvme drive. But I was never able to make it work with mkinitcpio generated initrd. I use dracut for creating initrd and extlinux.conf for booting on Manjaro.


RE: full disk encryption with luks on manjaro xfce - e-minguez - 05-04-2020

(02-19-2020, 08:03 AM)as400 Wrote: @e-minguez I have luks + lvm on nvme drive. But I was never able to make it work with mkinitcpio generated initrd. I use dracut for creating initrd and extlinux.conf for booting on Manjaro.

I'm trying to make this work out of the box in the Manjaro installer here https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer/-/issues/4 but even though I think it should work, it doesn't.

Could you please take a look to see if I'm missing something?

Thanks.